From e2cb0f28138ec639ca10ff82722c1a7793f721ce Mon Sep 17 00:00:00 2001 From: Avichal Rakesh Date: Wed, 1 Feb 2023 15:56:40 -0800 Subject: [PATCH] Prevent non-system apps from read ro.usb.uvc.enabled ro.us.uvc.enabled should not be readable from apps that can't or shouldn't act on UVC support. This means all non-system apps. This CL adds an explicit neverallow rule to prevent all appdomains (except system_app and device_as_webcam). Bug: 242344221 Bug: 242344229 Test: Build passes, manually confirmed that non-system apps cannot access the property Change-Id: I1a40c3c3cb10cebfc9ddb791a06f26fcc9342ed9
---
private/property.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/private/property.te b/private/property.te
index 5383300fd..4f806d437 100644
--- a/private/property.te
+++ b/private/property.te
@@ -687,3 +687,10 @@ neverallow {
 -init
 -vendor_init
 } usb_uvc_enabled_prop:property_service set;
+
+# Disallow non system apps from reading ro.usb.uvc.enabled
+neverallow {
+ appdomain
+ -system_app
+ -device_as_webcam
+} usb_uvc_enabled_prop:file no_rw_file_perms;
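Review bot: The comment `# Disallow non system apps from reading ro.usb.uvc.enabled` understates what the new rule covers: every domain in `appdomain` other than `system_app` and `device_as_webcam` is blocked, which includes app domains that are shipped on the system partition but are not `system_app` (for example `platform_app` and `priv_app`), and `no_rw_file_perms` covers write-class as well as read-class file permissions. If that breadth is intended, make the comment say so, e.g. `# Only system_app and device_as_webcam may read ro.usb.uvc.enabled; every other app domain (including platform_app/priv_app) is denied.`, so the next person adding a UVC-aware app domain knows the exclusion list must be extended here. A neverallow is a build-time assertion that only fails when a conflicting allow rule exists, so the manual runtime check in the commit message is the part that confirms no such allow is currently granted to the excluded domains and is worth keeping as a CTS-style test if one exists for this property.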